Apple flaw allows MacOS High Sierra logins without passwords

MacOS High Sierra login bug

A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password.

The bug was discovered by Lemi Orhan Ergin, whose Twitter profile shows him as a Turkish software developer. All you need to do is enter "root" into the username field, leave the password blank, and hit Enter a few times. After clicking unlock several times, it should eventually open up, no password necessary. The root account for your device is a superuser, with the ability to read and write files all across the system. From that account, you'll be able to see everything on the Mac. Anyone who gets in this way can change any user's password, allowing them to log in and access things like email and browser passwords.

A user reported the issue earlier today, but initially it wasn't specified which version of macOS High Sierra was affected, which machines, or anything other than what the problem was. We can confirm the bug is present in macOS 10.13.1. CNET independently confirmed this security flaw exists and reached out to Apple about the issue. Edward Snowden, a key voice in the information security community after being at the center of many years of National Security Agency leaks, commented on the disclosure.

Anyone with a Mac in a public office space is urged to fix this immediately. macOS users can mitigate the issue themselves by assigning a root password or disabling the root account in System Preferences > Users & Groups on the Mac. Click the lock in the corner. Then, click the "Join" button beside "Network Account Server" and a new panel will pop up. Then, from the menu bar at the top of the screen, click on the "Edit" menu and choose "Enable Root User".
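As an added example, not part of the article, the following POSIX shell script audits whether a Mac's root account is enabled and prints the fix the article describes (disable root, or give it a real password). It reads the AuthenticationAuthority attribute that Apple's dscl(1) prints for the root record; the assumption that a disabled root account either has no such key or carries the ";DisabledUser;" marker, and the sample dscl outputs used to exercise the parser, are mine, not the article's.

```shell
#!/bin/sh
# Added example (not from the article): audit the macOS root account.
# It classifies the output of
#   dscl . -read /Users/root AuthenticationAuthority
# Assumption (labelled): a disabled root account either has no
# AuthenticationAuthority key ("No such key: ...") or carries the
# ";DisabledUser;" marker; any other authority value means root can log in.

# classify_root_state: read dscl output on stdin, print one word:
#   disabled | enabled | unknown
classify_root_state() {
    out=$(cat)
    case "$out" in
        *"No such key"*)           echo disabled ;;   # attribute absent entirely
        *";DisabledUser;"*)        echo disabled ;;   # explicitly disabled
        *AuthenticationAuthority*) echo enabled  ;;   # a login authority is set
        *)                         echo unknown  ;;
    esac
}

# remediation_for STATE: the article's fix, expressed as the Apple command
# that applies it (dsenableroot -d disables root; passwd root sets a password).
remediation_for() {
    case "$1" in
        enabled)  echo "root can log in: run 'sudo dsenableroot -d' to disable it, or 'sudo passwd root' to give it a strong password" ;;
        disabled) echo "root is disabled: nothing to do" ;;
        *)        echo "could not determine root state: inspect 'dscl . -read /Users/root' by hand" ;;
    esac
}

# audit_root_account: run the live check when dscl exists (i.e. on macOS),
# otherwise report that it was skipped. Returns 1 when root is enabled.
audit_root_account() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; not macOS, audit skipped"
        return 0
    fi
    # dscl reports a missing key on stderr, so merge the streams before parsing.
    state=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_state)
    echo "root account state: $state"
    remediation_for "$state"
    [ "$state" != enabled ]
}

audit_root_account
```

Run it as a normal user; the script's exit status is 1 only when root is found enabled, which makes it easy to drop into a fleet check. It never changes the account itself: the two commands it names are the ones an administrator runs deliberately.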
